添加自定义过滤器在Spring Security认证过程

Question

现在，我的身份验证已使用用户名和密码完成。 我想再添加一个步骤，以便它检查用户是否被激活。 我有一个用户表，如果用户已激活帐户，该表将保存值。

我有我的SecurityConfig.java

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // This somehow works but only if the account is not validated
        // auth.authenticationProvider(new UserActivatedAuthenticationProvider(userService));

        auth.userDetailsService(userDetailsService).passwordEncoder(new ShaPasswordEncoder(encodingStrength));

}

和UserActivatedAuthenticationProvider.java

@Component
public class UserActivatedAuthenticationProvider implements AuthenticationProvider {

private final UserService userService;

@Autowired public UserActivatedAuthenticationProvider(UserService userService) {
    this.userService = userService;
}

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    String name = authentication.getName();
    User user = userService.findByEmail(name);

    if (user != null) {
        if (!user.isActivated()) {
            throw new BadCredentialsException(name + " email is not activated.");
        }
    }

    Object credentials = authentication.getCredentials();

    if (!(credentials instanceof String)) {
        return null;
    }

    String password = credentials.toString();
    Authentication auth = new UsernamePasswordAuthenticationToken(name, password);

    return auth;
}

@Override
public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

}

我只想在激活帐户后才继续进行身份验证。 由于无法获取用户名，因此无法在AuthenticationManagerBuilder使用userService 。 我正在将该项目用作种子。 简而言之...我还想检查is_activated列的值，并像现在一样基于该值进行操作（用户名和密码验证）。

Answer 1

你并不需要一个AuthenticationProvider 。 您需要实现UserDetailsService如下;

@Service
public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService;

    public UserDetails loadUserByUsername(String username)
                        throws UsernameNotFoundException {
        User user = userService.findByEmail(username);
        if(user == null) {
            throw new UsernameNotFoundException(username);   
        }

        return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, user.getRoles().stream().map(role -> role.getRoleName()).map(SimpleGrantedAuthority::new).collect(Collectors.toList()));

    }
}

弹簧类org.springframework.security.core.userdetails.User作为属性命名enabled的，你可以通过你的user.isActivated()从数据库标志。

Answer 2

您可以通过提供自定义的用户信息服务做到这一点。

@Autowired
private CustomUserDetailsService customUserDetailsService ;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {    
        auth.userDetailsService(customUserDetailsService ).passwordEncoder(new ShaPasswordEncoder(encodingStrength));

}

和

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService;

    public UserDetails loadUserByUsername(String username)
                        throws UsernameNotFoundException {
        User user = userService.findByEmail(username);
        if(user == null) {
            throw new UsernameNotFoundException(username);   
        }

            Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();        
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("USER");
            authorities.add(grantedAuthority);
        return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, authorities );

    }
}

现在，基于第三PARAM的布尔值，春季安全会自动允许/拒绝用户登录，并且还会为用户如果没有激活邮件“被禁用的用户”。